PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-33615 CyberPower CVE debrief

A path traversal vulnerability in CyberPower PowerPanel Business allows an authenticated user to achieve remote code execution by importing a malicious ZIP file. The vulnerability, published 2024-05-02, affects versions 4.9.0 and earlier. CISA issued advisory ICSA-24-123-01 with a CVSS 3.0 score of 8.8 (HIGH). The vendor has released version 4.10.1 to address this issue. No known exploitation in ransomware campaigns has been documented.

Vendor
CyberPower
Product
PowerPanel Business
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2024-05-02
Original CVE updated
2025-08-07
Advisory published
2024-05-02
Advisory updated
2025-08-07

Who should care

Organizations using CyberPower PowerPanel Business for UPS management in data centers, critical infrastructure, and industrial environments. Security teams responsible for OT/ICS asset protection and infrastructure administrators managing power distribution systems.

Technical summary

CyberPower PowerPanel Business versions 4.9.0 and earlier contain a path traversal vulnerability (CWE-22) in their ZIP file import functionality, the archive-handling pattern commonly known as "Zip Slip". An attacker crafts an archive whose entry names contain traversal sequences (for example ../../startup.sh); when the import routine joins each entry name onto the extraction directory without validating where the result resolves, the entry is written outside that directory. An arbitrary file write of this kind becomes remote code execution when the attacker overwrites an executable or script, or drops one into a location that the application or the operating system executes. Per the CVSS 3.0 vector, the attack is reachable over the network (AV:N) with low complexity (AC:L), requires only low privileges (PR:L, i.e. an account that can reach the import feature) and no user interaction (UI:N), and is rated high for confidentiality, integrity and availability impact.

Defensive priority

HIGH

Recommended defensive actions

  • Update CyberPower PowerPanel Business to version 4.10.1 or later
  • Restrict import functionality to authorized administrative users only
  • Implement network segmentation to limit exposure of PowerPanel Business management interfaces
  • Monitor for uploaded ZIP archives whose entry names contain traversal sequences (../ or absolute paths), and for new or modified files outside the application's import directory, especially in locations that are executed on startup
  • Apply principle of least privilege to service accounts running PowerPanel Business
  • Review and validate backup configurations to ensure rapid recovery capability
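The technical summary and the monitoring action above both turn on the same mechanism: an extractor that joins a stored entry name onto the destination directory without checking where the result lands. The following Python program, added here as an illustration and not CyberPower code or an exploit for PowerPanel Business, builds a constructed archive with one traversal entry, shows a hand-rolled extractor writing outside its root, then shows a hardened extractor that resolves every entry against the real root before writing, and a purely lexical scanner suitable for checking uploads before they reach an import handler. The archive contents, file names and the scratch directory layout are all constructed for the example; the hypothetical root used by the scanner is only a reference point for the path check.

```python
"""Zip Slip (CWE-22) in an archive import routine: vulnerable pattern,
hardened extractor and pre-import scanner.  Added example for this debrief;
not CyberPower code and not a PowerPanel Business exploit.  Archive
contents, file names and directory layout are constructed."""
import io
import ntpath
import os
import posixpath
import tempfile
import zipfile


def build_traversal_zip() -> bytes:
    """Constructed sample: one benign entry plus one whose name climbs two
    levels above the extraction root.  zipfile stores '../' verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/settings.xml", "<settings/>")
        zf.writestr("../../startup.sh", "#!/bin/sh\necho pwned\n")
    return buf.getvalue()


def naive_extract(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable pattern: join the stored entry name onto dest unchecked.
    ZipFile.extractall() is deliberately not used; it strips '..' itself,
    which is why hand-rolled extractors are where this bug lives."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # no validation
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def resolve_entry(dest: str, name: str) -> str:
    """Hardened check: reject absolute names, resolve the joined path
    (following symlinks already on disk) and require it to stay under
    the real extraction root.  commonpath avoids the '/a/b' vs '/a/bc'
    string-prefix mistake."""
    root = os.path.realpath(dest)
    if name.startswith(("/", "\\")) or ntpath.splitdrive(name)[0]:
        raise ValueError(f"absolute entry name rejected: {name!r}")
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"entry escapes extraction root: {name!r}")
    return target


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Extract with resolve_entry() applied before any write."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = resolve_entry(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def scan_archive(zip_bytes: bytes) -> list:
    """Detection helper for uploads: lexical check, no filesystem needed.
    Backslashes are normalised because archives built on Windows may use
    them as separators.  The root below is hypothetical (an assumption)."""
    root = "/import-root"
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            norm = name.replace("\\", "/")
            resolved = posixpath.normpath(posixpath.join(root, norm))
            inside = resolved == root or resolved.startswith(root + "/")
            if ntpath.splitdrive(norm)[0] or not inside:
                flagged.append(name)
    return flagged


def demo() -> dict:
    """Run both extractors in a scratch tree where <tmp>/app/imports is
    the root, so '../../startup.sh' resolves to <tmp>/startup.sh."""
    payload = build_traversal_zip()
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "app", "imports")
        os.makedirs(root)
        real_root = os.path.realpath(root)
        naive = naive_extract(payload, root)
        escaped = [p for p in naive
                   if os.path.commonpath([real_root, p]) != real_root]
        try:
            safe_extract(payload, root)
            rejected = False
        except ValueError:
            rejected = True
        return {
            "naive_wrote_outside": os.path.isfile(os.path.join(tmp, "startup.sh")),
            "escaped_count": len(escaped),
            "hardened_rejected": rejected,
            "flagged_entries": scan_archive(payload),
        }


if __name__ == "__main__":
    print(demo())
```

Running the script reports that the naive extractor placed startup.sh two levels above its root while the hardened extractor refused the same entry, and that the scanner flagged it without touching the disk. The realpath step in resolve_entry matters when an earlier entry could have created a symlink inside the root; the scanner alone does not catch that, which is why both checks are shown.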

Evidence notes

CISA CSAF advisory ICSA-24-123-01 identifies the vulnerability as a path traversal in ZIP file handling. CVSS 3.0 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Affected product: CyberPower PowerPanel Business <=4.9.0. Vendor fix available: update to v4.10.1 or later. Advisory revised 2024-05-06 to add CVSS scores and 2025-08-07 to update CWE classification.

Official resources

CISA advisory ICSA-24-123-01, published 2024-05-02